Cyber Posture

CVE-2026-3063

Medium

Published: 23 February 2026
Modified: 25 February 2026
KEV Added: (not listed)
Patch: (see mitigation below)
CVSS Score: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
EPSS Score: 0.0001 (0.6th percentile)
Risk Priority: 11 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-3063 is a medium-severity vulnerability of unspecified weakness type in Google Chrome. Its CVSS base score is 5.4 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Extensions (T1176.001). The CVE is ranked at the 0.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Browser Extensions (T1176.001) and 1 other technique.

Threat & Defense Details

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1176.001 Browser Extensions (Persistence)
Adversaries may abuse internet browser extensions to establish persistent access to victim systems.

T1204.002 Malicious File (Execution)
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

The vulnerability is triggered directly by a malicious browser extension (T1176.001) after the user installs and runs that extension (T1204.002), enabling unauthorized script/HTML injection into privileged DevTools pages.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Inappropriate implementation in DevTools in Google Chrome prior to 145.0.7632.116 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via DevTools. (Chromium security severity: High)

Deeper analysis (AI-generated)

CVE-2026-3063 is an inappropriate implementation vulnerability in the DevTools component of Google Chrome prior to version 145.0.7632.116. It enables an attacker who convinces a user to install a malicious extension to inject scripts or HTML into a privileged page via DevTools. The issue affects Chromium-based browsers, with a CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N) and High severity as rated by Chromium security.

The attack requires an attacker to socially engineer a user into installing a malicious browser extension, which then abuses the DevTools implementation flaw to inject script or HTML into privileged pages. Successful exploitation results in low-impact confidentiality and integrity violations, such as limited unauthorized data access or content modification, with no availability impact; user interaction is required throughout.

Mitigation is provided in the Google Chrome stable channel update to version 145.0.7632.116 or later, as announced in the Chrome Releases blog at https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_23.html. Additional technical details are documented in the Chromium issue tracker at https://issues.chromium.org/issues/485287859. Security practitioners should advise users to update promptly and exercise caution with extension installations.

Details

CWE(s): none listed

Affected Products

google / chrome: ≤ 145.0.7632.116 · ≤ 145.0.7632.117

CVEs Like This One

CVE-2026-2319 (same product: Apple Macos)
CVE-2026-4458 (same product: Apple Macos)
CVE-2026-3539 (same product: Apple Macos)
CVE-2026-5287 (same product: Apple Macos)
CVE-2026-5908 (same product: Apple Macos)
CVE-2026-5904 (same product: Apple Macos)
CVE-2026-6305 (same product: Apple Macos)
CVE-2025-8576 (same product: Apple Macos)
CVE-2026-6306 (same product: Apple Macos)
CVE-2026-4455 (same product: Apple Macos)
